mysql attack

From: Pall Thayer (pall_at_fa.is)
Date: 07/19/05

  • Next message: Joel Esler: "Re: mysql attack"

    Date: Tue, 19 Jul 2005 15:30:37 +0000
    To: incidents@securityfocus.com


    Hi,
    I don't know much about diagnosing attacks but am just wondering if
    anyone has noticed something similar to what I'm seeing. For the past
    three days, a computer with IP number 60.48.15.154 has been bombarding
    my mysql server with connection attempts. None appear to be successful.
    I guess it's a brute force attempt but they're coming really fast and
    from various different ports on the other side. Really strange.

    best r.
    Pall Thayer

    I'm running Redhat 8 with mysql server 3.23.58. The mysql port is open
    to the outside world for several reasons. I know this is a bit of a
    no-no but that's just the way it is. I'm not really very worried about
    these attacks being successful. The server is very secure as far as
    passwords and limited users and services go but I'm curious as to what
    is going on and why they're targeting me.

    Here's a tcpdump of the traffic on the mysql port:

    15:22:18.297149 pallit.lhi.is.mysql > 60.48.15.154.2427: S
    3702188471:3702188471(0) ack 1223419901 win 5840 <mss
    1460,nop,nop,sackOK> (DF)
    15:22:18.297532 60.48.15.154.2253 > pallit.lhi.is.mysql: . ack 118 win
    65419 (DF)
    15:22:18.726717 60.48.15.154.2427 > pallit.lhi.is.mysql: . ack 1 win
    65535 (DF)
    15:22:18.727164 pallit.lhi.is.mysql > 60.48.15.154.2427: P 1:45(44) ack
    1 win 5840 (DF) [tos 0x8]
    15:22:19.155084 60.48.15.154.2427 > pallit.lhi.is.mysql: P 1:24(23) ack
    45 win 65491 (DF)
    15:22:19.155195 pallit.lhi.is.mysql > 60.48.15.154.2427: . ack 24 win
    5840 (DF) [tos 0x8]
    15:22:19.155268 pallit.lhi.is.mysql > 60.48.15.154.2427: P 45:117(72)
    ack 24 win 5840 (DF) [tos 0x8]
    15:22:19.155281 pallit.lhi.is.mysql > 60.48.15.154.2427: F 117:117(0)
    ack 24 win 5840 (DF) [tos 0x8]
    15:22:19.583862 60.48.15.154.2427 > pallit.lhi.is.mysql: . ack 45 win
    65491 <nop,nop,sack sack 1 {117:118} > (DF)
    15:22:19.584269 60.48.15.154.2427 > pallit.lhi.is.mysql: . ack 118 win
    65419 (DF)
    15:22:19.585087 60.48.15.154.2427 > pallit.lhi.is.mysql: F 24:24(0) ack
    118 win 65419 (DF)
    15:22:19.585106 pallit.lhi.is.mysql > 60.48.15.154.2427: . ack 25 win
    5840 (DF)
    15:22:19.585496 60.48.15.154.2587 > pallit.lhi.is.mysql: S
    1231026484:1231026484(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)
    15:22:19.585520 pallit.lhi.is.mysql > 60.48.15.154.2587: S
    3754800534:3754800534(0) ack 1231026485 win 5840 <mss
    1460,nop,nop,sackOK> (DF)
    15:22:20.011001 60.48.15.154.2587 > pallit.lhi.is.mysql: . ack 1 win
    65535 (DF)
    15:22:20.011445 pallit.lhi.is.mysql > 60.48.15.154.2587: P 1:45(44) ack
    1 win 5840 (DF) [tos 0x8]
    15:22:20.437733 60.48.15.154.2587 > pallit.lhi.is.mysql: P 1:24(23) ack
    45 win 65491 (DF)
    15:22:20.437840 pallit.lhi.is.mysql > 60.48.15.154.2587: . ack 24 win
    5840 (DF) [tos 0x8]
    15:22:20.437909 pallit.lhi.is.mysql > 60.48.15.154.2587: P 45:117(72)
    ack 24 win 5840 (DF) [tos 0x8]
    15:22:20.437923 pallit.lhi.is.mysql > 60.48.15.154.2587: F 117:117(0)
    ack 24 win 5840 (DF) [tos 0x8]
    15:22:20.866508 60.48.15.154.2587 > pallit.lhi.is.mysql: F 24:24(0) ack
    117 win 65419 (DF)
    15:22:20.866537 pallit.lhi.is.mysql > 60.48.15.154.2587: . ack 25 win
    5840 (DF) [tos 0x8]
    15:22:20.867327 60.48.15.154.2753 > pallit.lhi.is.mysql: S
    1239344205:1239344205(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)
    15:22:20.867350 pallit.lhi.is.mysql > 60.48.15.154.2753: S
    3750552724:3750552724(0) ack 1239344206 win 5840 <mss
    1460,nop,nop,sackOK> (DF)
    15:22:20.867735 60.48.15.154.2587 > pallit.lhi.is.mysql: . ack 118 win
    65419 (DF)
    15:22:21.293241 60.48.15.154.2753 > pallit.lhi.is.mysql: . ack 1 win
    65535 (DF)
    15:22:21.296430 pallit.lhi.is.mysql > 60.48.15.154.2753: P 1:45(44) ack
    1 win 5840 (DF) [tos 0x8]
    15:22:21.722424 60.48.15.154.2753 > pallit.lhi.is.mysql: P 1:24(23) ack
    45 win 65491 (DF)
    15:22:21.722536 pallit.lhi.is.mysql > 60.48.15.154.2753: . ack 24 win
    5840 (DF) [tos 0x8]
    15:22:21.722596 pallit.lhi.is.mysql > 60.48.15.154.2753: P 45:117(72)
    ack 24 win 5840 (DF) [tos 0x8]
    15:22:21.722608 pallit.lhi.is.mysql > 60.48.15.154.2753: F 117:117(0)
    ack 24 win 5840 (DF) [tos 0x8]
    15:22:22.149566 60.48.15.154.2753 > pallit.lhi.is.mysql: F 24:24(0) ack
    117 win 65419 (DF)
    15:22:22.149592 pallit.lhi.is.mysql > 60.48.15.154.2753: . ack 25 win
    5840 (DF) [tos 0x8]
    15:22:22.150383 60.48.15.154.2916 > pallit.lhi.is.mysql: S
    1247383525:1247383525(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)
    15:22:22.150405 pallit.lhi.is.mysql > 60.48.15.154.2916: S
    3758586043:3758586043(0) ack 1247383526 win 5840 <mss
    1460,nop,nop,sackOK> (DF)
    15:22:22.150792 60.48.15.154.2753 > pallit.lhi.is.mysql: . ack 117 win
    65419 (DF)
    15:22:22.151609 60.48.15.154.2753 > pallit.lhi.is.mysql: . ack 118 win
    65419 (DF)
    15:22:22.575890 60.48.15.154.2916 > pallit.lhi.is.mysql: . ack 1 win
    65535 (DF)
    15:22:22.577559 pallit.lhi.is.mysql > 60.48.15.154.2916: P 1:45(44) ack
    1 win 5840 (DF) [tos 0x8]
    15:22:23.004256 60.48.15.154.2916 > pallit.lhi.is.mysql: P 1:24(23) ack
    45 win 65491 (DF)
    15:22:23.008453 pallit.lhi.is.mysql > 60.48.15.154.2916: . ack 24 win
    5840 (DF) [tos 0x8]
    15:22:23.008531 pallit.lhi.is.mysql > 60.48.15.154.2916: P 45:117(72)
    ack 24 win 5840 (DF) [tos 0x8]
    15:22:23.008546 pallit.lhi.is.mysql > 60.48.15.154.2916: F 117:117(0)
    ack 24 win 5840 (DF) [tos 0x8]
    15:22:23.435485 60.48.15.154.2916 > pallit.lhi.is.mysql: F 24:24(0) ack
    117 win 65419 (DF)
    15:22:23.435518 pallit.lhi.is.mysql > 60.48.15.154.2916: . ack 25 win
    5840 (DF) [tos 0x8]
    15:22:23.435893 60.48.15.154.3085 > pallit.lhi.is.mysql: S
    1255911271:1255911271(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)
    15:22:23.435918 pallit.lhi.is.mysql > 60.48.15.154.3085: S
    3759630820:3759630820(0) ack 1255911272 win 5840 <mss
    1460,nop,nop,sackOK> (DF)
    15:22:23.437119 60.48.15.154.2916 > pallit.lhi.is.mysql: . ack 118 win
    65419 (DF)
    15:22:23.861399 60.48.15.154.3085 > pallit.lhi.is.mysql: . ack 1 win
    65535 (DF)
    15:22:23.861850 pallit.lhi.is.mysql > 60.48.15.154.3085: P 1:45(44) ack
    1 win 5840 (DF) [tos 0x8]
    15:22:24.288949 60.48.15.154.3085 > pallit.lhi.is.mysql: P 1:24(23) ack
    45 win 65491 (DF)
    15:22:24.289044 pallit.lhi.is.mysql > 60.48.15.154.3085: . ack 24 win
    5840 (DF) [tos 0x8]
    15:22:24.289103 pallit.lhi.is.mysql > 60.48.15.154.3085: P 45:117(72)
    ack 24 win 5840 (DF) [tos 0x8]
    15:22:24.289118 pallit.lhi.is.mysql > 60.48.15.154.3085: F 117:117(0)
    ack 24 win 5840 (DF) [tos 0x8]
    15:22:24.715681 60.48.15.154.3085 > pallit.lhi.is.mysql: F 24:24(0) ack
    117 win 65419 (DF)
    15:22:24.715710 pallit.lhi.is.mysql > 60.48.15.154.3085: . ack 25 win
    5840 (DF) [tos 0x8]
    15:22:24.716497 60.48.15.154.3249 > pallit.lhi.is.mysql: S
    1263954421:1263954421(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)
    15:22:24.716526 pallit.lhi.is.mysql > 60.48.15.154.3249: S
    3752740473:3752740473(0) ack 1263954422 win 5840 <mss
    1460,nop,nop,sackOK> (DF)
    15:22:24.716906 60.48.15.154.3085 > pallit.lhi.is.mysql: . ack 118 win
    65419 (DF)
    15:22:25.143231 60.48.15.154.3249 > pallit.lhi.is.mysql: . ack 1 win
    65535 (DF)
    15:22:25.143963 pallit.lhi.is.mysql > 60.48.15.154.3249: P 1:45(44) ack
    1 win 5840 (DF) [tos 0x8]
    15:22:25.569966 60.48.15.154.3249 > pallit.lhi.is.mysql: P 1:24(23) ack
    45 win 65491 (DF)
    15:22:25.570068 pallit.lhi.is.mysql > 60.48.15.154.3249: . ack 24 win
    5840 (DF) [tos 0x8]
    15:22:25.570146 pallit.lhi.is.mysql > 60.48.15.154.3249: P 45:117(72)
    ack 24 win 5840 (DF) [tos 0x8]
    15:22:25.570159 pallit.lhi.is.mysql > 60.48.15.154.3249: F 117:117(0)
    ack 24 win 5840 (DF) [tos 0x8]
    15:22:25.999147 60.48.15.154.3249 > pallit.lhi.is.mysql: F 24:24(0) ack
    117 win 65419 (DF)
    15:22:25.999173 pallit.lhi.is.mysql > 60.48.15.154.3249: . ack 25 win
    5840 (DF) [tos 0x8]
    15:22:25.999963 60.48.15.154.3249 > pallit.lhi.is.mysql: . ack 118 win
    65419 (DF)
    15:22:26.000372 60.48.15.154.3425 > pallit.lhi.is.mysql: S
    1272492900:1272492900(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)
    15:22:26.000395 pallit.lhi.is.mysql > 60.48.15.154.3425: S
    3708372058:3708372058(0) ack 1272492901 win 5840 <mss
    1460,nop,nop,sackOK> (DF)
    15:22:26.430784 60.48.15.154.3425 > pallit.lhi.is.mysql: . ack 1 win
    65535 (DF)
    15:22:26.431572 pallit.lhi.is.mysql > 60.48.15.154.3425: P 1:45(44) ack
    1 win 5840 (DF) [tos 0x8]
    15:22:26.857516 60.48.15.154.3425 > pallit.lhi.is.mysql: P 1:24(23) ack
    45 win 65491 (DF)
    15:22:26.859179 pallit.lhi.is.mysql > 60.48.15.154.3425: . ack 24 win
    5840 (DF) [tos 0x8]
    15:22:26.859295 pallit.lhi.is.mysql > 60.48.15.154.3425: P 45:117(72)
    ack 24 win 5840 (DF) [tos 0x8]
    15:22:26.859307 pallit.lhi.is.mysql > 60.48.15.154.3425: F 117:117(0)
    ack 24 win 5840 (DF) [tos 0x8]
    15:22:27.285883 60.48.15.154.3425 > pallit.lhi.is.mysql: F 24:24(0) ack
    117 win 65419 (DF)
    15:22:27.285908 pallit.lhi.is.mysql > 60.48.15.154.3425: . ack 25 win
    5840 (DF) [tos 0x8]
    15:22:27.286291 60.48.15.154.3425 > pallit.lhi.is.mysql: . ack 118 win
    65419 (DF)
    15:22:27.286699 60.48.15.154.3591 > pallit.lhi.is.mysql: S
    1280677001:1280677001(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)
    15:22:27.286723 pallit.lhi.is.mysql > 60.48.15.154.3591: S
    3762493586:3762493586(0) ack 1280677002 win 5840 <mss
    1460,nop,nop,sackOK> (DF)
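
The dump above repeats one shape over and over: a SYN from a fresh ephemeral port on 60.48.15.154, the server's 44-byte greeting, one 23-byte packet from the client, a 72-byte reply, and then the server sends FIN, all inside about a second, before the next port starts the same exchange. That is what a stream of connections that never get past the login stage looks like on the wire, which is consistent with the poster's brute-force guess. The script below is an added detection example, not part of the original post or the list thread: it parses tcpdump 3.x-style lines like the ones quoted, groups them into client sessions and flags any host that opens many short sessions which the server itself tears down. The sample lines are constructed (unwrapped, and modelled on the post's output); 192.0.2.10 is a made-up legitimate client from the RFC 5737 documentation range, and the thresholds (3 sessions, 2 seconds) are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict, namedtuple
from dataclasses import dataclass
from typing import Optional

# Constructed sample in tcpdump 3.x format, modelled on the dump in the post.
# 60.48.15.154 is the source named in the post; 192.0.2.10 (RFC 5737
# documentation range) is a made-up legitimate client holding one long session.
SAMPLE = """\
15:22:19.000000 192.0.2.10.40112 > pallit.lhi.is.mysql: S 100:100(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
15:22:19.000500 pallit.lhi.is.mysql > 192.0.2.10.40112: P 1:45(44) ack 1 win 5840 (DF)
15:22:19.400000 192.0.2.10.40112 > pallit.lhi.is.mysql: P 1:60(59) ack 45 win 65491 (DF)
15:22:19.585496 60.48.15.154.2587 > pallit.lhi.is.mysql: S 1231026484:1231026484(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)
15:22:20.011445 pallit.lhi.is.mysql > 60.48.15.154.2587: P 1:45(44) ack 1 win 5840 (DF) [tos 0x8]
15:22:20.437733 60.48.15.154.2587 > pallit.lhi.is.mysql: P 1:24(23) ack 45 win 65491 (DF)
15:22:20.437923 pallit.lhi.is.mysql > 60.48.15.154.2587: F 117:117(0) ack 24 win 5840 (DF) [tos 0x8]
15:22:20.867327 60.48.15.154.2753 > pallit.lhi.is.mysql: S 1239344205:1239344205(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)
15:22:21.296430 pallit.lhi.is.mysql > 60.48.15.154.2753: P 1:45(44) ack 1 win 5840 (DF) [tos 0x8]
15:22:21.722424 60.48.15.154.2753 > pallit.lhi.is.mysql: P 1:24(23) ack 45 win 65491 (DF)
15:22:21.722608 pallit.lhi.is.mysql > 60.48.15.154.2753: F 117:117(0) ack 24 win 5840 (DF) [tos 0x8]
15:22:22.150383 60.48.15.154.2916 > pallit.lhi.is.mysql: S 1247383525:1247383525(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)
15:22:22.577559 pallit.lhi.is.mysql > 60.48.15.154.2916: P 1:45(44) ack 1 win 5840 (DF) [tos 0x8]
15:22:23.004256 60.48.15.154.2916 > pallit.lhi.is.mysql: P 1:24(23) ack 45 win 65491 (DF)
15:22:23.008546 pallit.lhi.is.mysql > 60.48.15.154.2916: F 117:117(0) ack 24 win 5840 (DF) [tos 0x8]
15:22:23.435893 60.48.15.154.3085 > pallit.lhi.is.mysql: S 1255911271:1255911271(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)
15:22:23.861850 pallit.lhi.is.mysql > 60.48.15.154.3085: P 1:45(44) ack 1 win 5840 (DF) [tos 0x8]
15:22:24.288949 60.48.15.154.3085 > pallit.lhi.is.mysql: P 1:24(23) ack 45 win 65491 (DF)
15:22:24.289118 pallit.lhi.is.mysql > 60.48.15.154.3085: F 117:117(0) ack 24 win 5840 (DF) [tos 0x8]
15:23:45.000000 pallit.lhi.is.mysql > 192.0.2.10.40112: F 900:900(0) ack 60 win 5840 (DF)
"""

# One tcpdump 3.x line: "hh:mm:ss.usec src > dst: FLAGS [seq:seq(len)] [ack N] win ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFPRW.]+)(?: \d+:\d+\((?P<length>\d+)\))?(?P<rest>.*)$"
)
Packet = namedtuple("Packet", "t src_host src_port dst_host dst_port flags length is_ack")


@dataclass
class Session:
    client: str
    port: str
    start: float                        # time of the client's SYN
    server_fin: Optional[float] = None  # time the server closed the connection
    client_bytes: int = 0               # payload bytes the client sent


def ts_to_seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_packets(text: str) -> list:
    """Parse tcpdump 3.x lines; lines that do not match (e.g. wrapped
    continuation lines from a mail client) are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src_host, src_port = m["src"].rsplit(".", 1)
        dst_host, dst_port = m["dst"].rsplit(".", 1)
        packets.append(Packet(ts_to_seconds(m["ts"]), src_host, src_port, dst_host,
                              dst_port, m["flags"], int(m["length"] or 0),
                              " ack " in m["rest"]))
    return packets


def summarize_sessions(packets, server_host: str, service: str = "mysql"):
    """Group packets into sessions keyed by (client host, client port).
    A session opens on the client's bare SYN and closes on the server's FIN."""
    sessions = {}
    for p in packets:
        if p.dst_host == server_host and p.dst_port == service:
            key = (p.src_host, p.src_port)
            if "S" in p.flags and not p.is_ack:
                sessions[key] = Session(p.src_host, p.src_port, p.t)
            elif key in sessions:
                sessions[key].client_bytes += p.length
        elif p.src_host == server_host and p.src_port == service:
            key = (p.dst_host, p.dst_port)
            if key in sessions and "F" in p.flags and sessions[key].server_fin is None:
                sessions[key].server_fin = p.t
    return list(sessions.values())


def flag_brute_force(sessions, min_sessions: int = 3, max_duration: float = 2.0):
    """Per client host, count sessions the server tore down within max_duration
    seconds of the SYN; many such sessions from one host, each on a fresh
    ephemeral port, is the pattern in the post. Thresholds are assumptions."""
    by_client = defaultdict(list)
    for s in sessions:
        by_client[s.client].append(s)
    findings = {}
    for client, sess in by_client.items():
        short = [s for s in sess if s.server_fin is not None
                 and s.server_fin - s.start <= max_duration]
        findings[client] = {
            "sessions": len(sess),
            "distinct_ports": len({s.port for s in sess}),
            "short_server_closed": len(short),
            "suspicious": len(short) >= min_sessions,
        }
    return findings


# Usage: feed a saved tcpdump capture and the server's name as tcpdump prints it.
report = flag_brute_force(summarize_sessions(parse_packets(SAMPLE), "pallit.lhi.is"))
```

Run against a live capture, the same three calls give a per-host table; the host from the post shows four sessions on four ports, all closed by the server in under a second, while the constructed legitimate client shows one session lasting over a minute. Because the parser skips anything that does not match a packet line, a dump pasted with mail-wrapped lines (as in the post) still parses the unwrapped packet lines, but the wrapped ones are lost, so work from the original capture file rather than the e-mail when you can.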

